(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)
(*)                                                                        (*)
(*)  The Lost Avenger And United Phreaker's Incorporated Proudly Presents  (*)
(*)                                                                        (*)
(*)                   UPi Newsletter Volume #1, Issue #3                   (*)
(*)                                                                        (*)
(*)      What Corporate Users Should Know About Data Network Security      (*)
(*)                                                                        (*)
(*)                  Copyright 1991 - All Rights Reserved                  (*)
(*)                                                                        (*)
(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)(*)

This article was originally published in Telecommunications - North America
Edition, May 1990. This article was republished without permission.

What Corporate Users Should Know About Data Network Security

By Stephen T. Irwin

As network security becomes more critical, new approaches to preventing
unauthorized use are evolving. Which kind of system is right for your needs?

----------------------------------------------------------------------------

Sometime late one night last year, hackers repeatedly broke into the network of
the National Aeronautics and Space Administration (NASA) (TLA: Fucking right!)
and helped themselves to free telephone service from one of the nation's most
technically sophisticated agencies. Whether the purloined long-distance charges
totaled over $12 million (TLA: Hmm, I think that's a little too high of an
estimate), as reported in the Houston Chronicle, or "only" $10,000 (TLA: Naa, I
don't think that is accurate either), as NASA estimates, cannot be determined.
In an alarming admission of its inability to monitor access to the highly
sensitive network, NASA says that it does not know exactly how much was
illegally charged to the agency.

The break-in at NASA is just one in a series of many such incidents that have
brought into sharp relief the problem of protecting computer networks against
theft and damage by unauthorized users. A recent government report, "Computers
at Risk," stated that the nation's "computer and communications systems are
vulnerable to potentially catastrophic security breaches..." Experts estimate
that computer crime costs American business millions of dollars a year.

In response to this threat, vendors have devised a variety of network access
control devices designed to limit access to host computers. Available security
systems fall into five major categories. They are:

o host resident-based security software (TLA: No big deal.....easy to get
  through)

o encryption devices that encode the data before transmission and decode it
  upon arrival at its destination (TLA: Ahh, ok this isn't too hard. There is
  a way to get by this but it is hard to come by)

o call-back systems that call back preprogrammed phone numbers (TLA: again,
  no problem here to get by this security feature)

o handheld password generators (TLA: It's hard to say anything about this
  one as I don't have much information on this type of security)

o physical tokens or magnetic cards that are actually inserted into the
  remote computer or terminal and "read." (TLA: This sucks; you have to be
  right at the terminal or PC in order to access this. But kind of stupid
  too, since you can lose your key or card and then you're screwed)

These systems have advantages and disadvantages that must be weighed carefully
by the telecom manager in light of the security needs of his or her company's
computer system and the price/performance trade-offs of each solution. What
follows is an examination of the leading security methods, analyzing their
advantages, disadvantages, and cost-effectiveness.

Host Computer Security Software

Resident on the host computer, this method utilizes a password system that is
relatively easy to use - which is simultaneously its biggest advantage and
disadvantage. The user at the remote site must first enter the password into
his or her computer, which then transmits it to the security software on the
host. If incorrect, the password is rejected, and the remote user is blocked
from further access.

In theory, a password system is relatively secure. In practice, it is a highly
vulnerable approach. Passwords are generally widely available among the staff
(in some cases, employees even tape the password to the side of their
computer). It is a simple matter for outsiders (or former employees) to obtain
a password from friends within the company and break into the system,
resulting in theft of information or damage to data.

Depending on the specific package utilized, host-based security software can be
expensive and time-consuming to install, and can tie up the system
administrator's time. If a password system is selected or already in use, it is
important to change the password at least once a month - preferably once a
week. Keep in mind, however, that passwords are child's play for computer
criminals (TLA: Hehe, like me) - particularly if the password is an actual word
rather than an arbitrary string of letters and numbers. Computer thieves use
simple spelling checkers to generate an almost infinite number of words until
they finally break in.
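
The weaknesses the article and the commentary below describe (a real word as the
password, the account name or a digit run such as 1234 as the password, empty or
vendor-default passwords) are exactly what the host should refuse at the moment
a password is set, before a word-list guesser ever gets to try them. The check
below is an added illustration written for this edition, not code from the
article or from any vendor it names. Its word list is a constructed stand-in
for the full dictionary and breached-password list a real deployment would load,
and the digit-for-letter substitution table and the eight-character minimum are
the editor's additions.

```python
"""Reject passwords a dictionary-driven guesser would find first.

Added example, not code from the article or from any vendor it names.
WORDLIST is a constructed stand-in: a real check loads a full dictionary
and a breached-password list (the article's "spelling checker") instead.
"""
import string

# Constructed: a few dictionary words plus common vendor defaults.
WORDLIST = {"password", "secret", "welcome", "letmein", "dragon", "monkey",
            "summer", "telecom", "network", "admin", "guest", "system"}

# Digit-for-letter substitutions are undone before the dictionary lookup,
# because guessers try them automatically ("p4ssw0rd" is still "password").
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def is_trivial_digits(s: str) -> bool:
    """True for digit runs such as 1234, 4321 or 1111 (and single digits)."""
    if not s.isdigit():
        return False
    steps = {(int(b) - int(a)) % 10 for a, b in zip(s, s[1:])}
    return len(steps) <= 1 and steps <= {0, 1, 9}


def weak_password_reasons(username: str, password: str) -> list:
    """Return every reason the candidate should be refused; [] means accept."""
    if not password:
        return ["empty password"]
    reasons = []
    lowered = password.lower()
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    # "Secret99" and "dragon!" are still dictionary words to a guesser.
    core = lowered.strip(string.digits + string.punctuation)
    if core in WORDLIST or core.translate(LEET) in WORDLIST:
        reasons.append("dictionary word or common default")
    if username and username.lower() in lowered:
        reasons.append("contains the account name")
    if is_trivial_digits(lowered):
        reasons.append("trivial digit sequence")
    return reasons


if __name__ == "__main__":
    for user, pw in [("jsmith", ""), ("jsmith", "jsmith"), ("jsmith", "P4ssw0rd!"),
                     ("jsmith", "1234"), ("jsmith", "Q7#vLm2!pZr9")]:
        print(f"{user}/{pw!r}: {weak_password_reasons(user, pw) or 'accepted'}")
```

The function returns a list of reasons rather than a bare yes/no so the host can
tell the user what to fix; an empty list is the only acceptable result.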

(TLA: I have noticed for this type of security method that some accounts on a
system have no passwords at all, which means that the system is open to
hackers. There is also the possibility that you can get into the system using
the system default passwords (if there are any). Also, I have noticed that some
accounts use personal information for the passwords or a lame number/word
combination too. For example 1234, or the account name as the password, or the
guy's real name for the password. So seriously, that really puts this type of
system method down the drain as far as reliable and secure goes.)

Encryption

The encryption method generates an unreadable version of the data stream and is
generally used when transmitting highly sensitive data, such as financial
transfers between banks and other institutions. Most commercially available
devices utilize the Data Encryption Standard (DES) algorithm to encrypt data.
Most banks, however, use a MAC (message authentication code) system in which
the information itself is transmitted in readable form. Included with that
information is an encrypted message - based on the information transmitted -
which will be incorrect if the information is changed or intercepted in any
way. In other words, even if someone does break into the system and transforms
a $1000 credit into $1 million, the interference will be detected.
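
The bank-style arrangement just described, a readable message carrying a
key-dependent check value, can be shown end to end in a few lines. This is an
added example for this edition, not the article's or any vendor's code: HMAC
with SHA-256 stands in for the DES-based MACs of the period, the wire format
(body, a `|` separator, the tag in hex) and the shared key are constructed for
the demonstration, and the "data thief" is simulated by editing the bytes of
the message in transit.

```python
"""Tamper detection with a message authentication code.

Added example for this edition, not the article's or any vendor's code.
HMAC-SHA256 stands in for the DES-based MACs of the period; the shared key
and the wire format (body, "|", hex tag) are constructed for the demo.
"""
import hashlib
import hmac

# Constructed demo key. In the article's setting the equivalent key sits in
# the nonvolatile memory of both encryptors; it never travels with the data.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def tag_message(key: bytes, body: bytes) -> bytes:
    """Key-dependent check value over the readable body."""
    return hmac.new(key, body, hashlib.sha256).digest()


def build_transfer(key: bytes, account: str, amount_cents: int) -> bytes:
    """Readable transfer instruction followed by its tag."""
    body = f"CREDIT {account} {amount_cents}".encode()
    return body + b"|" + tag_message(key, body).hex().encode()


def verify_transfer(key: bytes, wire: bytes):
    """Recompute the tag over the received body; compare in constant time.

    Returns (True, body_text) or (False, reason).
    """
    body, sep, tag_hex = wire.rpartition(b"|")
    if not sep:
        return False, "malformed: no tag"
    try:
        presented = bytes.fromhex(tag_hex.decode())
    except ValueError:
        return False, "malformed: tag is not hex"
    if not hmac.compare_digest(tag_message(key, body), presented):
        return False, "tag mismatch: body altered or key differs"
    return True, body.decode()


def demo() -> dict:
    """Send a $1000.00 credit, then deliver it with the amount rewritten."""
    wire = build_transfer(SHARED_KEY, "ACCT-001", 100_000)
    intact, _ = verify_transfer(SHARED_KEY, wire)
    # Someone on the line changes $1000.00 to $1,000,000.00. Without the key
    # they cannot recompute the tag, so the receiver rejects the message.
    tampered = wire.replace(b" 100000|", b" 100000000|")
    ok, reason = verify_transfer(SHARED_KEY, tampered)
    return {"intact": intact, "tampered_accepted": ok, "reason": reason}


if __name__ == "__main__":
    print(demo())
```

Note that the body goes over the line in the clear, exactly as the article
says; what the tag buys is integrity and origin, not confidentiality, which is
why the author contrasts it with full DES encryption of the stream.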

Encryption systems are available as hardware, software, or a combination of the
two. The encrypted information itself is highly secure: in order to crack the
code, a data thief must have a great deal of time and access to some heavy
computing power. But encryption methods of and by themselves do not necessarily
ensure that the information is being accessed by an authorized user. Nor can
users who are authorized to access some information be barred from acc"session"
keys.

The identification of authorized users in an encryption system requires the use
of additional methods (and expense), such as software resident on the host
computer. Encryption systems can also incur additional expense and
administrative time as the needs of the system change. System administrators
must initially set up the data access between the designated encryptors - not
to mention the synchronization headaches that occur when the devices are moved
from one site to another. This can be a major problem when the system is
expanded to accommodate a larger number of units and telephone lines.

Also, to ensure the highest level of security, encryption devices are usually
physically transported to the host site, where the "encryption key" is
installed into the nonvolatile memory of the encryptor (or modem/encryptor) via
the data port or a dedicated security port. It is possible to send the key to
remote devices through the mail - which, of course, can be intercepted by a
determined data thief.

If the system manager wants to permit access to remote users for a specific
time or application, a random one-time-only session key can be exchanged.
(TLA: Hmm, this is kind of hard to get by as the key can be changed at any time,
making hacking it hard to do.) A cryptographic fragment (based on the ANSI X-17
protocol) is generated, sent to the remote user's modem or encryptor device,
used for the duration of the transmission, and then becomes invalid.

(TLA: Well, as for this type of security, I find that it's kind of hard to get
by unless you have the right decryption code. Which for the Data Encryption
Standard (DES) method is virtually impossible to get as there are hundreds of
possibilities for the code. But then again nothing is impossible when you are a
hacker.....hehe)

Call-Back

The highly publicized, sometimes spectacular computer break-ins of the 1980s
fueled the development of the call-back system. Today, the majority of the
network security devices on the market are call-back systems. They work in the
following way: when the remote user dials in, the call-back unit intercepts the
call. These units can be configured on either the analog or digital side of
the host modem. The user then inputs a code or access number, which the
call-back unit checks against its library of authorized users. The host
computer then calls back the user at an authorized phone number; the user
signals back and is allowed access to the computer.

A variety of call-back systems can be put into place. Some systems allow users
to enter a variety of phone numbers so that they can access the host computer
from several sites (a type of "roaming" call-back). Some systems support a
secure call-in mode whereby the caller enters an access code and is then passed
directly to the host computer. Most systems incorporate a type of automatic
disconnect after several unsuccessful attempts have been made at entry.
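
The dial-in sequence of the two paragraphs above, modelled as an added example
for this edition (not the article's or any vendor's code). The user library,
the access codes, the phone numbers and the three-strikes limit are constructed.
The security property worth seeing in code is that the number the unit dials
back comes from its own library, never from anything the caller typed, and that
a line feeding it bad codes is disconnected and stays locked until an
administrator clears it.

```python
"""Call-back unit: code lookup, call-back to a stored number, lockout.

Added example, not the article's or any vendor's code. The user library,
access codes and phone numbers below are constructed for the demonstration.
"""
from dataclasses import dataclass, field


@dataclass
class CallBackUnit:
    # access code -> authorized numbers ("roaming" users may register several)
    library: dict
    max_failures: int = 3
    # consecutive failures per incoming line, cleared by a successful code
    failures: dict = field(default_factory=dict)
    locked_lines: set = field(default_factory=set)

    def handle_call(self, line: str, access_code: str, site: int = 0):
        """Process one dial-in attempt.

        Returns ("callback", number) when the code is valid, otherwise
        ("disconnect", reason). The call-back number is taken from the
        library, never from anything the caller supplied.
        """
        if line in self.locked_lines:
            return "disconnect", "line locked after repeated failures"
        numbers = self.library.get(access_code)
        if numbers is None or not 0 <= site < len(numbers):
            count = self.failures.get(line, 0) + 1
            self.failures[line] = count
            if count >= self.max_failures:
                self.locked_lines.add(line)
                return "disconnect", "line locked after repeated failures"
            return "disconnect", f"invalid code, attempt {count} of {self.max_failures}"
        self.failures.pop(line, None)
        return "callback", numbers[site]

    def unlock(self, line: str) -> None:
        """Administrator clears a lockout."""
        self.locked_lines.discard(line)
        self.failures.pop(line, None)


def demo() -> list:
    unit = CallBackUnit(library={
        "5521": ["416-555-0101"],                  # constructed single-site user
        "7730": ["416-555-0150", "514-555-0199"],  # constructed roaming user
    })
    return [
        unit.handle_call("line1", "5521"),
        unit.handle_call("line1", "7730", site=1),
        unit.handle_call("line2", "0000"),
        unit.handle_call("line2", "1111"),
        unit.handle_call("line2", "2222"),
        unit.handle_call("line2", "5521"),  # valid code, but line2 is locked
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The lockout is keyed on the incoming line rather than on the access code so
that guessing cannot be spread across many codes to stay under the limit.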

Another feature of some call-back systems is a type of host port "deception" in
which would-be illegal entrants cannot determine whether or not they have
reached a modem. Some devices use voice synthesis requesting a code in order to
"veil" the modem tone, and disconnect if the code is invalid. (TLA: Come on, a
code?? That's the worst type of security method I have heard of. All you need
to hack the code out is a program like Fuckin' Hacker or Code Thief. Geeze, how
lame!)

A well-designed call-back system, such as Millidyne's Auditor system, should
support what is known as modem-interchanged control (MI-MIC), which actually
changes the modem's way of operating. This feature is advantageous because of
the ability of a determined thief to piggyback onto phone calls in the instant
when the remote user has hung up and the computer is calling back - an event
known as "glare". Computer criminals with their "demon dialer" programs
capable of automatically redialing a number will eventually seize on the return
phone calls by the computer and gain access.

To be effective, MI-MIC must be supported by both the local and remote modems.
The call-back device, when calling back the designated number, actually seizes
control of the remote modem by activating its MI-MIC support leads. The host
modem then acts as if it had initiated rather than answered the call. This
serves two functions to foil would-be illegal entrants into the system. First,
the modems assume reversed transmit and receive frequencies, so that even if
the illegal user gets a return call from the host modem, his/her modem will not
be able to exchange handshake protocols with the host modem. Second, because
the remote modem does not answer by transmitting an answer-back tone, the
illegal entrant will not be aware that there was another modem on the line.

Call-back systems offer many advantages for the system administrator. They are
considered among the more secure systems on the market, and they are cheaper
than using leased lines, which are generally not cost-effective for smaller
companies.

Most call-back systems have the ability to audit network activity and produce
management reports. Productivity, as well as security, can be improved with
these call-back system reports. Call-back systems are also less expensive than
encryption devices, and are easier to maintain. According to some estimates,
encryption can cost as much as 50 percent more than call-back devices.

Call-back systems, however, have some disadvantages. Telephone costs are high
because the company assumes the cost when the system returns the call (and
costs accelerate when data are transmitted for long stretches of time).
However, many less expensive telecom options, such as WATS, or various MCI or
Sprint services (TLA: How about AT&T?), can support call-back devices. And for
employees calling the computer from a remote location, utilizing the company's
WATS line or other discount telecom service is cheaper than billing the call to
a credit card.

Call-back functions, however, cannot be supported if the call is intercepted by
a hotel operator, office receptionist, or other human voice. (Call-back,
however, can be accomplished if the PBX utilizes voice synthesis, allowing the
call to be passed through after the extension is entered.) While many call-back
systems can be configured to allow a password and direct pass-through option to
be utilized for travelers, it is a less secure option. (This of course assumes
that the hotel is equipped with an RJ-11 jack.)

(TLA: Well, it might not cost as much to go through a service such as MCI or
Sprint or a WATS line, but it is still going to cost quite a lot anyway if you
have a lot of people logging on and then the system has to call you back. As
for the direct passwords and normal passwords, they aren't that hard to get
through. As I mentioned earlier in this article, there might be stupid people
who don't even use one. - See above for more information -)

Other Options

About the size of a pocket calculator, the portable password generator can be
issued to authorized personnel when a call-back is either impossible or
undesirable. Each handheld password generator has a unique encryption key tied
to the user's personal identification number (PIN). In response to a challenge
from the network access control device (after the user enters his/her PIN), the
handheld device - which shares the same encryption algorithm as the access
control device - generates a unique password that the user then enters into his
PC or terminal. If correct, the user is passed through to the host computer.
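
The challenge-response exchange the paragraph describes, written out as an added
example for this edition (not the article's or any vendor's code). Both sides
hold the same per-user key; the access control device issues a random challenge,
the token computes the response only after the correct PIN is keyed in, and the
device accepts each challenge exactly once, so a response that was observed on
the line is useless afterwards. HMAC-SHA256 truncated to eight decimal digits is
the editor's stand-in for whatever proprietary algorithm a 1990 token used; the
user name, PIN and key are constructed.

```python
"""Handheld password generator and access control device, simulated.

Added example, not the article's or any vendor's code. HMAC-SHA256 truncated
to eight digits stands in for the proprietary algorithm of a 1990 token; the
user, PIN and key are constructed.
"""
import hashlib
import hmac
import secrets


def compute_response(key: bytes, challenge: str) -> str:
    """The algorithm both sides share: MAC of the challenge, shown as 8 digits."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class HandheldGenerator:
    """Pocket token. The key never leaves it; the PIN unlocks the computation."""

    def __init__(self, key: bytes, pin: str):
        self._key = key
        self._pin_digest = hashlib.sha256(pin.encode()).digest()

    def respond(self, pin: str, challenge: str) -> str:
        entered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(entered, self._pin_digest):
            raise PermissionError("wrong PIN")
        return compute_response(self._key, challenge)


class AccessControlDevice:
    """Host-side unit: stores each user's key and issues one-time challenges."""

    def __init__(self):
        self._keys = {}
        self._pending = {}  # user -> outstanding challenge, consumed on verify

    def enrol(self, user: str, key: bytes) -> None:
        self._keys[user] = key

    def challenge(self, user: str) -> str:
        c = secrets.token_hex(4).upper()  # eight hex digits, easy to key in
        self._pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self._pending.pop(user, None)  # one use, whether or not it matches
        if c is None or user not in self._keys:
            return False
        return hmac.compare_digest(compute_response(self._keys[user], c), response)


def demo() -> dict:
    key = secrets.token_bytes(16)  # provisioned into the token and the device
    device = AccessControlDevice()
    device.enrol("jsmith", key)
    token = HandheldGenerator(key, pin="4711")

    c = device.challenge("jsmith")
    response = token.respond("4711", c)  # what the user types at the terminal
    first = device.verify("jsmith", response)
    replay = device.verify("jsmith", response)  # nothing outstanding: rejected
    device.challenge("jsmith")
    stale = device.verify("jsmith", response)  # old answer to a new challenge
    return {"first": first, "replay": replay, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

This is what gives the generator its edge over the plain password scheme
earlier in the article: the value typed at the terminal changes every time, so
a password taped to a monitor or read off the line is worth nothing on the next
call.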

This system has the advantage of enhanced security over a password-only system,
yet requires only one phone call with no call-back in order to be effective.
This is a cost-effective, relatively inexpensive and secure network access
system.

Finally, token devices are physical "keys" or magnetic cards that enable users
to make one call to the host system. The caller accesses the host computer via
a PC or terminal, and then, in order to obtain authentication, inserts a
magnetic card or key into a reader or lock on the PC or terminal when asked to
do so by the host computer. If correct, the caller is passed directly to the
computer.

The token system's disadvantage is that if a card or token is lost or stolen, a
data thief can easily access the network. To maintain security, lost tokens
must be reported to the system administrator quickly so they can be immediately
disabled.

QSD Mailbox (NUA: 208057040540): UPi

Member Listing

Founder/President: The Lost Avenger (416)
Vice President:    Scarlet Spirit (416)
Couriers:          The Serious One (819)
Programmers:       Logic Master (514)
Writers:           Dantesque (416), Master Of Gold (Argentina)

Node Listing

-------------------------------------------------------------------------------
Node     BBS Name                 Area  Baud  Megs  BBS       Sysop
Number                            Code  Rate        Program
-------------------------------------------------------------------------------
WHQ      The Violent Underground  416   2400  85    PCBoard   The Lost Avenger
Node #1  The Shining Realm        416   2400  95    Telegard  Scarlet Spirit
-------------------------------------------------------------------------------